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Abstract 


The interval discrete logarithm problem is defined as follows: Given some g,h in a 
group G, and some TV E N such that g z = h for some z where 0 < z < N, find z. 

At the moment, kangaroo methods are the best low memory algorithm to solve the 
interval discrete logarithm problem. The fastest non parallelised kangaroo methods 
to solve this problem are the three kangaroo method, and the four kangaroo method. 
These respectively have expected average running times of (1.818 + o(l))y/~N, and 
(1.714 + o(l))y/~N group operations. 

It is currently an open question as to whether it is possible to improve kangaroo methods 
by using more than four kangaroos. Before this dissertation, the fastest kangaroo 
method that used more than four kangaroos required at least 2 y/~N group operations 
to solve the interval discrete logarithm problem. In this thesis, I improve the running 
time of methods that use more than four kangaroos significantly, and almost beat the 
fastest kangaroo algorithm, by presenting a seven kangaroo method with an expected 
average running time of (1.7195 + o( l))y/~N ± 0(1) group operations. The question, 
’Are five kangaroos worse than three?’ is also answered in this thesis, as I propose a 
five kangaroo algorithm that requires on average (1.737 + o{l))y/~N group operations 
to solve the interval discrete logarithm problem. 
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Chapter 1 

Introduction 


1.1 Introduction 


The interval discrete logarithm problem (IDLP) is defined in the following manner: 
Given a group G, some g,h E G, and some JVgN such that g z = h for some 0 < z < N, 
find z. In practice, N will normally be much smaller than |G|, and g will be a generator 
of G. The probability that z takes any integer value between 0 and N — 1 is deemed 
to be uniform. 

To our current knowledge, the IDLP is hard over some groups. Examples of such 
groups include Elliptic curves of large prime order, and Z*, where p is a large prime. 
Hence, cryptosystems such as the Boneh-Goh-Nissim homomorphic encryption scheme 
[1] derive their security from the hardness of the IDLP. The IDLP also arises in a wide 
range of other contexts. Examples include, counting points on elliptic curves |4], small 
subgroup and side channel attacks [5,6], and the discrete logarithm problem with c-bit 
exponents [4]. The IDLP is therefore regarded as a very important problem in contem¬ 
porary cryptography. 

Kangaroo methods are the best generic low storage algorithm to solve the IDLP. In 
this thesis, I examine serial kangaroo algorithms, although all serial kangaroo methods 
can be parallelised in a standard way, giving a speed up in running time in the process. 
Currently, the fastest kangaroo algorithm is the 4 kangaroo method of Galbraith, Pol¬ 
lard and Ruprai [3]. On an interval of size N, this algorithm has an estimated average 
running time of (1.714 + o(l))\^N group operations and requires 0(log(N)) memory. 
It should be noted that over some specific groups, there are better algorithms to solve 
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the IDLP. For example, over groups where inversion is fast, such as elliptic curves, 
an algorithm proposed by Galbraith and Ruprai in [2] has an expected average case 
running time of (1.36 + o(l)) y/~N group operations, while requiring a constant amount 
of memory. This method is much slower than the four kangaroo method over groups 
where inversion is slow however. Baby-step giant-step algorithms, which were first pro¬ 
posed by Shanks in [10], are also faster than kangaroo methods. The fastest Baby-step 
Giant-step algorithm was illustrated by Pollard in [8], and requires on average 4/3\/iV 
group operations to solve the IDLP. However, these algorithms are unusable over large 
intervals, since they have 0{\fN) memory requirements. If one is solving the IDLP in 
an arbitrary group, on an interval of size N, one would typically use baby-step giant- 
step algorithms if N < 2 30 , and would use the four kangaroo method if IV > 2 30 . 

The first kangaroo method was proposed by Pollard in 1978 in [9]. This had an esti¬ 
mated average running time of 3.3 y/N group operations [11]. The next improvement 
came from van Oorshot and Wiener in [12,13], with the introduction of an algorithm 
with an estimated average running time of (2 + o(l))y/~N group operations. This was 
the fastest kangaroo method for over 15 years, until Galbraith, Pollard and Ruprai 
published their three and four kangaroo methods in [3]. These respectively require on 
average (1.818 + o(l))y/N, and (1.714 + o(l))v^ group operations to solve the IDLP. 
The fastest kangaroo method that uses more than four kangaroos is a five kangaroo 
method, proposed in [3]. This requires at least 2y/~N group operations to solve the 
IDLP. 

It is currently believed, but not proven, that the four kangaroo method is the optimal 
kangaroo method. This is a major gap in our knowledge of kangaroo methods, and so 
the main question that this dissertation attempts to answer is the following. 


• Question 1: Can we improve kangaroo methods by using more than four kan¬ 
garoos? 


This dissertation also attempts to answer the following lesser, but also interesting prob¬ 
lem. 


• Question 2: Are five kangaroos worse than three? 


In this report, I attempt to answer these questions, by investigating five kangaroo 
methods in detail. I then state how a five kangaroo method can be adapted to give a 
seven kangaroo method, giving an improvement in running time in the process. 



Chapter 2 

Current State of Knowledge of 
Kangaroo Methods 


In this section I will give a brief overview of how kangaroo methods work, and of our 
current state of knowledge of kangaroo algorithms. 


2.1 General intuition behind kangaroo methods 


The key idea behind all kangaroo methods known today, is that if we can express any 
r 6 Gin two of the forms out of g p h,g q or g r h ~ l , where p,q,r G N, then one can find z, 
and hence solve the IDLP. In all known kangaroo methods, we have a herd of kangaroos 
who randomly ’hop’ around various elements of G. Eventually, 2 different kangaroos 
can be expected to land on the same group element. If we define the kangaroo’s walks 
such that all elements of a kangaroo’s walk are in one of the forms out of g p h,g q or 
g r h~ 1 , then when 2 kangaroos land on the same group element, the IDLP may be able 
to be solved. 


7 



8 


CHAPTER 2. KANGAROO METHODS 


2.2 van Oorshot and Weiner Method 


The van Oorshot and Weiner method of [12,13] was the fastest kangaroo method for 
over 15 years. In this method, there is one ’tame’ kangaroo (labelled T), and one ’wild’ 
kangaroo (labelled W). Letting i, and Wi respectively denote the group elements T 
and IT are at after i ’jumps’ of their walk, T and IT’s walks are defined recursively in 
the following manner. 


• How T’s walk is defined 

N 

— T starts his walk at to = 9 2 • 
— ti +1 = Ug n , for some n E N. 

• How IT’s walk is defined 


— IT starts his walk at w o = h. 

— Wi + 1 = Wig m , for some m E N. 


One should note also that the algorithm is arranged so that T and IT jump alter¬ 
nately. Clearly, all elements of T’s walk are expressed in the form g q , while all elements 
of IT’s walk are expressed in the form g p h, where p,q € N. Hence when T and IT both 
visit the same group element, we will have w l = tj, for some i . j E N, from which we 
can obtain an equation of the form g q = g p h , for some p,g£N, which implies z = q — p. 
Now if we structure the algorithm so that the amount each kangaroo jumps by at each 
step is dependent only on its current group element, then from the point where both 
kangaroos have visited a common group element onwards, both kangaroos walks will 
follow the same path. As a consequence of this, we can detect when T and IT have 
visited the same group element, while only storing a small number of the elements of 
each kangaroo’s walk. All kangaroo methods employ this same idea, and this is why 
kangaroo methods only require 0(log(N)) memory. 

To arrange the algorithm so that the amount each kangaroo jumps by at each step 
is dependent only on its current group element, we create a hash function H, which 
randomly assigns a ’step size’ to each element of G. When a kangaroo lands on some 
x E G, the amount it jumps forward by at that step is H{x) (so its current group 
element is multiplied by the precomputed value of g H ' x '). To use this property so 
that the algorithm requires only 0(log(A r )) memory, we create a set of ’distinguished 


1 Note that the method assumes N is even, so N/2 £ N 



2.2. VAN OORSHOT AND WEINER METHOD 


9 


points’, D , where D C G. D is defined such that Vx £ G, the probability that x £ D 
is c\og(N)/'/N, for some c > 0. If a kangaroo lands on some x £ D, we first check 
to see if the other kangaroo has landed on x also. If it has, we can solve the IDLP. 
If the other kangaroo hasn’t landed on x, then if T is the kangaroo that landed on 
x, we store x, the q such that x = g q , and a flag indicating that T landed on x. On 
the other hand, if W landed on x, we store x, the p such that g p h = x, and a flag 
indicating that W landed on x. Hence we can only detect a collision after the kanga¬ 
roos have visited the same distinguished point. At this stage, the IDLP can be solved. 
A diagram of the process the algorithm undertakes in solving the IDLP is shown below. 


Wild kangaroos walk 


/ 


Wild kangaroos starting position Tame k / ngar00 ' s 
starting position 


The back kangaroo lands 
Tame kangaroos walk on , distinguished point , 

and the IDLP can be solved. 



The point where the back kangaroo 
catches up to the starting position of the 
front kangaroo. This is when Stagel finishes, 


The back kangaroo lands on an element of 
the front kangaroos walk. From this point 
onwards, the back kangaroo will be following 
a path that has already been traversed by the 
front kangaroo 


To analyse the running time of the van Oorshot and Wiener method, we break the 
algorithm into the three disjoint stages shown in Stage 1, Stage 2, and Stage 3 below. 
In this analysis (and for the remainder of this thesis), I will use the following definitions. 

Step. A period where each kangaroo makes exactly one jump. 

Position (of a kangaroo). A kangaroo is at position p if and only if it's current group 
element is g p . For instance, T starts his walk at position N/2. 

Distance (between kangaroos). The difference between two kangaroos positions. 

We analyse the running time of the algorithm (and of all kangaroo methods) by 
considering the expected average number of group operations it requires to solve the 
IDLP. The reason for analysing the running time using this metric is explained in 
section 2.3. 


Stage 1. The period between when the kangaroos start their walks, and when 
the back kangaroo B catches up to the front kangaroo F’s starting position. Now 
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since the probability that z takes any integer value [0, N) is uniform, the average 
distance between B and F before they start their walks is JV/4. Therefore, the 
expected number of steps required in stage 1 is N/Am. where m is the average 
step size of the kangaroos walks 

• Stage 2. This is the period between when stage 1 finishes, and B lands on a 
group element that has been visited by F. John Pollard showed experimentally 
in [8] that the number of steps required in this stage is m. One can see this 
intuitively in the following way. Once B has caught up to F ’s starting position, 
he will be jumping over a region in which F has visited on average 1/m group 
elements. Hence the probability that F lands on a element of F ’s path at each 
step in Stage 2 is 1/m. Therefore, we can expect B ’s walk to join with T’s after 
m steps. 

• Stage 3. This is the period between when stage 2 finishes, and B lands on 

a distinguished point. Since the probability that any x £ G is distinguished is 
clog(JV)/ VN, for some c > 0, we can expect B to make elog ^/,y]y = / c 

steps in this stage. 


Hence we can expect the algorithm to require N/Am + m + y/~N /clog(TV) steps to solve 
the IDLP. Now since each of the two kangaroos make one jump at each step, and in 
each jump a kangaroo makes we multiply two already known group elements together, 
each step requires two group operations. Hence the algorithm requires 2 (N/Am + 
m + \/N /clog(TV)) group operations to solve the IDLP. The optimal choice of m in 
this expression is m = \/N /2, which gives an expected average running time of (2 + 
l/c\og{N))\fN = (2 + o(1))a/N : group operations. 

Note that this analysis (and the analysis of the three and four kangaroo methods) 
ignores the number of group operations required to initialise the algorithm (in the 
initialisation phase we find the starting positions of the kangaroos, assign a step size to 
each x £ G, and precompute the group elements g H ^ for each x £ G). In section 3.3, 
I show however that the number of group operations required in this stage is constant. 


2.3 How we analyse the running time of Kangaroo Meth¬ 
ods 


I can now explain why we analyse running time of kangaroo methods in terms of the 
expected average number of group operations they require to solve the IDLP. 
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Why only consider group operations? Generally speaking, in kangaroo methods, 
the computational operations that need to be carried out are group operations (e.g. 
multiplying a kangaroo’s current group element to move it around the group), hashing 
(e.g. computing the step size assigned to a group element), and memory access com¬ 
parisons (e.g. when a kangaroo lands on a distinguished point, checking to see if that 
distinguished point has already been visited by another kangaroo). The groups which 
one is required to solve the IDLP over are normally elliptic curve groups of large prime 
order, or Z*, for a large prime p [11]. Group operations over such groups require far 
more computational operations than hashing, or memory access comparisons do. Hence 
when analysing the running time, we get an accurate approximation to the number of 
computational operations required by only counting the number of group operations. 
Counting the number of hashing operations, and memory access comparisons increases 
the difficulty of analysing the running time substantially, so it is desirable to only count 
group operations. 

Why consider the expected average number of group operations? In the van 

Oorshot and Weiner method (and in all other kangaroo methods), the hash function 
which assigns a step size to each element of G is chosen randomly. Now for fixed z and 
varied hash functions, there are many possibilities for how the walks of the kangaroos 
will pan out. Hence in practise, the number of group operations until the IDLP is solved 
can take many possible values for each z. Hence we consider the expected running time 
for each z, as being the average running time across all possible walks the kangaroos 
can make for each 2 . 

Now z can take any integer value between 0 and N — 1 with equal probability. Hence 
we refer to the expected average running time, as being the average of the expected 
running times across all zGffin the interval [0, N). 


2.4 Three Kangaroo Method 


The next major breakthrough in kangaroo methods came from Galbraith, Pollard and 
Ruprai in [3] with the introduction of their three kangaroo method. The algorithm 
assumes that g has odd order, and that 10|IV. The method uses three different types 
of kangaroos, labelled W 1 , W 2 and T. All of the elements of Rj, W 2 and T’s walks are 
respectively expressed in the forms g p h, g r hr *, and g q , where p,q,r € N. If any pair 
of kangaroos collides, then we can express some x £ G in 2 of the forms out of g p h,g q 
and g r h~ l . If we have x = g p h = g q , then z = p — q, while if we have x = g q = g r h ~ 1 , 
then z = r — q. On the other hand, if we have x = g p h = g q h _1 , then since g has odd 
order, we can solve z = 2 ~ 1 (q — p) mod (|g|). Hence a collision between any pair of 
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kangaroos can solve the IDLP. 

To enable us to express the elements of the kangaroos walks in these ways, as in the 
van Oorshot and Wiener method, we create a hash function H which assigns a step 
size to each element of G. Defining W\ % i,W 2 , t and T % to respectively denote the group 
element W±, W 2 and T are at after i jumps in their walk, we then define the walks of 
the kangaroos in the following way. 


• How W\ ’s walk is defined 

— W\ starts at the group element W\ t o = g~ N ^ 2 h 

- To move W\ to the next step, W\^ + \ = W\^g H ^- Wl ’ i+ d> 

• How HVs walk is defined 

— We start W 2 at the group element W 2 ,o = g N ^ 2 h~ l 

- To move W 2 to the next step, = W 2 ,ig H ^ W ’ 1 ^ 

• How T’s walk is defined 

- We start T at T 0 = g 3N / 10 . 

— To move T to the next step, T i+ 1 = T ig H ( Tl ) 


As in the van Oorshot and Wiener method, the algorithm is arranged so that the 
kangaroos jump alternately. One can see that W 1 , W 2 , and T start their walks respec¬ 
tively at the positions 2 : — N/2,N/2 — z, and 31V/10. Hence if we let dx,WndT,w 2 ^ and 
dwi,w 2 be the functions for the initial distances between T and Wj, T and W 2 , and 
Wi and W 2 over all 0 < z < N, then dx^wAz) = |(z — N/2) — (3A/10)| = \z — 4iV/5|, 
dr,w 2 ( z ) = |-W/5 — z |, and dw 1 ,w 2 ( z ) = |2 z — N |. We also define dc to be the func¬ 
tion which denotes the initial distance between the closest pair of kangaroos over all 
0 < z < N. Hence dc(z) = min {dr,W\ {z), dr.w 2 ( z )^ dw t ,w 2 ( z )}■ The starting positions 
of the kangaroos in this method are chosen so that the average distance between the 
closest pair of kangaroos (the average of dc(z) for 0 < 2 < N) is minimised. A diagram 
of the distance between all pairs of kangaroos, and of dc is shown below. 
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The following table shows the the formula for dc, what C (the closest pair of kan¬ 
garoos) is, what B (the back kangaroo in C ) is, and what F (the front kangaroo in C ) 
is, across all 0 < z < N. 



dc{z ) 

C 

B 

F 

0<z< N/5 

dT,w 2 ( z ) = ^V/5 — z 

T and W -2 

T 

W 2 

N/ 5 < z < 2N/5 

dT,w 2 ( z ) = z ~ N /5 

T and W -2 

w 2 

T 

2N/5 <z< N/2 

dwi,w 2 = N — 2z 

Wi and W 2 

W, 

W 2 

N/2 <z< 3N/5 

dwi,w 2 = 2z — N 

Wi and W 2 

w 2 

Wi 

31V/5 < ^ < AN/5 

dr,w 1 ( z ) = 4:N/5 — z 

T and Wi 

W\ 

T 

41V/5 < ^ < N/2 

dr,w i(^) = z — 41V/5 

T and W] 

T 

W\ 


The expected number of steps until the IDLP is solved from a collision between the 
closest pair can be analysed in the same way as the running time was analysed in the 
van Oorshot and Weiner method. 


• Stage 1. The period between when the kangaroos start their walks, and when 
B catches up with F 1 s starting position. The average of dc can easily be seen to 
be N/ 10. Hence if we let m be the average step size used, the expected number 
of steps for B to catch up to F ’s starting position is N/lOm. 

• Stage 2. The period between when stage 1 finishes, and when B lands on an 
elements of F ’’s walk. The same analysis as was applied in the van Oorshot and 
Weiner method shows that the expected number of steps required in this stage is 
m. 
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• Stage 3. The period between when B lands on an element of F ’s path, and B 
lands on a distinguished point. In the three kangaroo method, the probability 
of a group element being distinguished is the same as it is in the van Oorshot 
and Wiener method, so the expected number of steps required in this stage is 
VN/c\og{N). 


If we make the pessimistic assumption that the IDLP will always be solved from a 
collision between the closest pair of kangaroos, we can expect the algorithm to require 
N/10m + m + '/N /clog(TV) steps to solve the IDLP. This expression is minimised when 
m is taken to be i/IV/10. In this case, the algorithm requires (2\/l/10 + o(l)))VJSr 
steps to solve the IDLP. Since there are three kangaroos jumping at each step, the 
expected number of group operations until the IDLP is solved is (1.897 + o(l))y/N 
group operations. 

When Galbraith, Pollard and Ruprai considered the expected number of group oper¬ 
ations until the IDLP was solved from a collision between any pair of kangaroos (so 
not just from a collision between the closest pair), they found through a complex anal¬ 
ysis, that the three kangaroo method has an expected average case running time of 
(1.818 + o(l))\/lV group operations. This is a huge improvement on the running time 
of the van Oorshot and Weiner method. 


2.5 Four Kangaroo Method 


The Four kangaroo method is a very simple, but clever extension of the 3 kangaroo 
method. As in the three kangaroo method, we start three kangaroos, Tj, W\ and Wi at 
the positions 3Ar /io, z — iV / 2 , and N /‘2 — z respectively. Here however, we add in one extra 
tame kangaroo (T 2 ), who starts his walk at 3Ar /io + 1. One can see that the starting 
positions of W\ and W 2 have the same parity, while exactly one of Ti and TVs starting 
positions will have the same parity as W\ and HVs starting positions. Therefore, if the 
step sizes are defined to be even, then in any walk, both of the wild, and one of the 
tame kangaroos will be able to collide, while one of the tame kangaroos will be unable 
to collide with any other kangaroo. Therefore, the three kangaroos that can collide are 
effectively simulating the three kangaroo method, except over an interval of half the 
size. Hence, from the analysis of the three kangaroo method, the three kangaroos that 
can collide in this method require (1.818 + o(\))y/N/2 group operations to solve the 
IDLP. However, since there is one ’useless’ kangaroo that requires just as many group 
operations as the three other useful kangaroos, the expected number of group operations 
required to solve the IDLP by the four kangaroo method is ( 3 + 1 )/3(1.818+o(l))y / A r /2 = 
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(1.714 + o(l))VN group operations. 


2.6 Can we do better by using more kangaroos? 


I now return to the main question this dissertation seeks to address. The answer to this 
question is not clear through intuition, since there are arguments both for and against 
using more kangaroos. 

On the one hand, if one uses more kangaroos, we both increase the number of pairs 
of kangaroos that can collide, and we can make the kangaroos closer together. There¬ 
fore, by using more kangaroos, the number of steps until the first collision occurs will 
decrease. However, by increasing the number of kangaroos, there will more kangaroos 
jumping at each step, so the number of group operations required at each step increases. 
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Chapter 3 

Five Kangaroo Methods 


This section will attempt to answer the two main questions of this dissertation (see 
Question 1 and Question 2 in the introduction), by investigating kangaroo methods 
which use five kangaroos. 

In this section, I will answer Question 2, and partially answer Question 1, by pre¬ 
senting a five kangaroo algorithm which requires on average (1.737 + o(l))y/N ± 0(1) 
group operations to solve the IDLP. To find a five kangaroo algorithm with this running 
time, I answered the following questions, in the order stated below. 


• How should the walks of the kangaroos be defined in a 5 kangaroo algorithm? 

• How many kangaroos of each type should be used? 

• Where abouts should the kangaroos start their walks? 

• What average step size should be used? 


3.1 How the Walks of the Kangaroos are Defined 


I will first investigate 5 kangaroo methods where a kangaroo’s walk can be defined in 
one of the same three ways as they were in the three and four kangaroo methods. This 
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means, that a kangaroo can either be of type Wild1,Wild 2, or Tame, where the types 
of kangaroos are defined in the following way. 


• Wildl Kangaroo - A kangaroo for which we express all elements of its walk in 
the form g p h, where p£N. 

• Wild2 Kangaroo - A kangaroo for which we express all elements of its walk in 
the form g r h -1 , where r £ N. 

• Tame Kangaroo - A kangaroo for which we express all elements of its walk in 
the form g q , where gGff. 


As in the three and four kangaroo methods, there will be a hash function H which 
assigns a step size to each x £ G. To walk the kangaroos around the group, if x is 
a kangaroos current group element, the group element it will jump to next will be 
xg H ( x ) . As in all previous kangaroo methods, the algorithm will be arranged so that 
the kangaroos each take one jump during each step of the algorithm. 


3.2 How many kangaroos of each type should be used? 


If we let N\y i , Nw 2 and Nt respectively denote the number of wildI, wild2, and 
tame kangaroos used in any 5 kangaroo method. Then Nwi + N\y 2 + Nt = 5. The 
following theorem will prove to be very useful in working out how many kangaroos of 
each type should be used, given this constraint. 

Theorem 3.2. Let A be any 5 kangaroo algorithm, where the kangaroos can be of type 
Tame, WildI, or Wild2. Then the expected number of group operations until the clos¬ 
est ’useful’ pair of kangaroos in A collides is no less than 10y 2 W TiN W o+ 4 N t (n w1 +n T 2 ) 
(A pair is called useful if the IDLP can be solved when the pair collides). 


My proof of this requires Lemma 3.2.1, Lemma 3.2.2, Lemma 3.2.3, Lemma 3.2.4, 
and Lemma 3.2.5. Before stating and proving these lemmas, I will make the following 
two important remarks. 


Remark 1. I showed in my description of the three kangaroo method how a 
collision between kangaroos of different types could solve the IDLP. On the other 
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hand, we can gain no information about z from a collision between kangaroos of 
the same type. Hence a pair of kangaroos is ’useful’ if and only if it features two 
kangaroos of different types. 

• Remark 2. In this section, for any choice of starting positions, I will let d (where 
d is a function of z) be the function that denotes the initial distance between the 
closest useful pair of kangaroos across all 0 < z < N. d is analogous to the 
function dc in the three kangaroo method, where for any z with 0 < z < N, 
d(z) will be defined to be the smallest distance between pairs of kangaroos of 
different types, at that particular z. Note that d(z) is completely determined by 
the starting positions of the kangaroos. 

Lemma 3.2.1. For any choice of starting positions in a 5 kangaroo algorithm, the 
minimal expected number of group operations until the closest useful pair collides is 
10 sjAve(d(z)), where Ave(d(z)) is the average starting distance between the closest 
useful pair of kangaroos over all instances of the IDLP (i.e. over all z € N where 
z G [0, N) = [0,1V- i];. 


Proof of Lemma 3.2.1. Let A be a 5 kangaroo algorithm that starts all kangaroos at 
some specified choice of starting positions, and let m be the average step size used in 
A. Also let d(z) be defined as in remark 2. For each z with 0 < z < N, using an 
argument very similar to that provided in section 2.2, the expected number of steps 
until the closest useful pair collides for this specific z is d(z)/m + m. Since 5 kangaroos 
jump at each step, the expected number of group operations until the closest useful 
pair collides for this z is 5 (d(z)/m + m). Therefore, the expected average number of 
group operations until the closest useful pair collides across all instances of the IDLP 
(i.e. across all z£N with 0 < z < N) is 



4 


N -1 

E d(z) 
2 = 0 


+ m 


= 5 


^Ave(d(z)) 


+ m 


V 


m 


m 
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Now simple differentiation shows that the m that minimises this is m = \JAve(d(z)). 
Substituting in m = \JAve{d(z)) gives the required result. □ 

Lemma 3.2.2. For each z, d(z) is either of the form |Ci±z| or |C2±2z|, where C\ and 
C 2 are constants independent of z. Furthermore, letting p gi and p 92 respectively denote 
the number of pairs with initial distance function of the form \C ± z\, and \C ± 2z\, 
P g 1 = Nt(Nwi + Nw 2 ), and p g2 = NwiNy/ 2 - 


Proof of Lemma 3.2.2. Since a pair of kangaroos is useful if and only if it features 
two kangaroos of different types, a pair is useful if and only if it is a tame/wildI, a 
tame/wild2, or a wildI/wild2 pair (here a type1/type2 pair means a pair of kan¬ 
garoos featuring one kangaroo of typeI, and another kangaroo of type2). Since 
all wild1,wild2 and tame kangaroos start their walks respectively at group ele¬ 
ments of the form g p h,g r h ~ 1 and g q , for some p,q,r G N, the starting positions of 
all WildI,Wild2 and Tame kangaroos will be of the forms p + z, r — z, and q re¬ 
spectively. Hence the initial distance functions between tame/wildI, tame/wild2, 
and wild1/wild2 pairs are respectively \p + z — q\, \r — z + q |, and \p + z — (r — z )|. 
Therefore, the distance function between all tame/wildI and tame/wild2 pairs can 
be expressed in the form \C\ ± z\, where C\ is independent of z. The number of such 
pairs is NxN\y\ + NtN\v 2 - On the other hand, the initial distance function between a 
wild1/wild2 pair can be expressed in the form |C , 2 ± 2 z|, where C 2 is also independent 
of z. The number of such pairs is Nyy\Nw 2 - □ 


From the graph of dc in section 2.4, we can see that the function for the distance 
between the closest pair of kangaroos in the three kangaroo method is a sequence of 
triangles. The same is generally true in five kangaroo methods. In lemma 3.2.3, I will 
show that the area under the function d is minimised in five kangaroo methods when 
d is a sequence of triangles. 

Lemma 3.2.3. Suppose dip, d\ t 2, di, 3 , d pi and d 2 .i 1 ^ 2 , 2 , •••, d 2 )P2 are functions of z, 
defined on the interval [0, IV), where for all i and j, dij(z) = \Ci ± z\, and d 2 } j(z) = 

| C 2 ± 2z\, where Ci and Cj are constants. Let d(z) be defined such that V 0 < z < N, 
d(z) = min{di t i(z),di } 2(z), ■■■,di tPl (z),d2 t i(z), ...,d2, P 2 (z)}. Then assuming that we 
have full control over the constants Ci and Cj, in every case where d is not a sequence 
of triangles, the area under d can be decreased by making d into a sequence of triangles. 
This can be done by changing some of the constants Ci and Cj. 

Proof. By d being a sequence of triangles, I mean that if we shade in the region beneath 
d, then the shaded figure is a sequence of triangles (see figure 3.2(a)). Now d is a 



3.2. HOW MANY KANGAROOS OF EACH TYPE SHOULD BE USED? 


21 


sequence of triangles if and only if Si ,£2 and S 3 hold, where Si is the statement 
’d(O) = 0, or d(0) > 0 and d'( 0) < O’, S 2 is the statement 'd{N — 1) = 0, or d(N — 1) > 0 
and d'(N — 1) > O’, and S 3 is the statement ’for every z where the gradient of d changes, 
the sign of the gradient of d changes’. This is equivalent to the statement, ’for every z 
where the function which is smallest changes (from say d ai ,bi to d a2t b 2 ), the gradients 
of both d a 1,61 and d a2 ,b 2 have opposite sign at z\ 

Hence if d is not a sequence of triangles, d must not satisfy at least one of the properties 
out of Si (see figure 3.2(b)),S 2 (see figure 3.2(c)), or S 3 (see figures 3.2 (d) and (e)). 



4 


d 



Figure 3.2(b) 


Figure 3.2(c) 



Figure 3.2(d): Case where there exists a x with 0 < x < N 
where the gradient of d changes from a negative, to a 
different negative value. 



where the gradient of d changes from a negative, to a 
different negative value. 
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First consider the case where Si doesn’t hold. Then d(0) > 0, and dl{ 0) > 0. Let 
dco be the function which is smallest out out of all 

{di,i(z),di 2 (z),...,di jPl (z),d 2 ,i(z),...,d 2 , P2 (z)} at z = 0. Hence d c o = \C + gz\, where 
C > 0, and g is 1 or 2, and d(z) = dc(z) for all z between 0 and p, for some p < N. 
If we change dco so that dco = \d z \i and define all other functions apart from dco i n 
the same way, then the area under d decreases by Cp over the region [0, p] (see figure 
3.2(f)), while the area under d over [p,IV) will be no larger than it was before dco{ z ) 
was redefined to be \gz\. Hence the area under d decreases by at least Cp over [0,1V). 
Therefore, in every case where S\ doesn’t hold, we can decrease the area under d by 
redefining d so that Si holds (PropI). 



Shaded trapezium 

Figure 3.2(f) 



Figure 3.2(g) shaded trapezium. 


Similarly, in the case where S 2 doesn’t hold, d(N — 1) = C > 0 and d'(N — 1) < 0. 
If dcN is the function such that dcN{N — 1) = d(N — 1), then dcN^z) = \C — gz\, 
where C > g(N — 1) (since dcN{N — 1) >0). Hence if we redefine dcN such that 
dcN(z) = | g(N — 1) — gz |, if p is defined such that dcN(z) = d(z) V p < z < N (before 
dcN(z) was defined to be | g(N — 1) — gz |), then the area under d decreases by at least 
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(N — 1 —p)(C — gN) (see figure 3.2(g)). Therefore, in every case where S 2 doesn’t hold, 
we can decrease the area under d by redefining d so that S 2 holds (Prop2). 



Figure 3.2(h) 

Now consider the case where S 3 doesn’t hold. Then there exists an x with 0 < x < N, 
and functions d a 1>bl and d a2yb2 such that the function which is smallest (so the function 
which d equals) changes from d a ^ to d a 2 ,b 2 at x i and d! bl (x) and d! b 2 (x ) have the 
same sign. 

In the case where d' aiM (x) < 0 and d' a 2 b 2 {x) < 0, (see figure 3.2(h)) d' a 2 b 2 {x) < d' aiM (x) 
(since d a 2 t b 2 (z) > d a ,,b\ (z) for z < x with z ~ x, and d a 2 ,b 2 (z) < d a , >b] (z) for z > x 
with z ~ x. Hence d a 2 ^ 2 {x)' = —2 and d ai} b 1 (x)' = —1. Therefore d a 2 t b 2 (z) = \C 2 — 2z\, 
and d a , , bl (z) = \C\ — z\ for some C\ , 62 > 0. Now I will let [s,f] be the region 
such that for all z where s < z < /, d(z) = d aii b\{ z ) or d(z) = d a 2 tb 2 (z), and h be 
such that h = d aij 6 1 (a:) = d a 2 t b 2 (x). Now if we fix d ait b 1 (and all other functions in 
{di t i(z),d li 2 (z), ...,di, Pl (z),d 2 ,i(z), ...,d 2 , P 2 (z)}), and allow d a2)b2 to vary (by varying 
the constant C 2 ), then assuming d a ^ and d a 2 ) b 2 intersect somewhere on the region 
[s, /] when both d! b < 0 and d' ao b2 < 0, then the area under d over the region [s, /] 
is determined purely by the height of this intersection point (Mathematically, it can be 
easily shown that if we define H to be the height of the intersection point of d ai ^ bl and 
d a 2 ,b 2 when d alt b 1 and d a 2 t b 2 are decreasing, and Al s j to be the area under d ai) b 1 over 
[s,/], then the area under d over [s,f] is Al s j — 2H 2 /9). Now suppose we redefine 
d a 2 ,b 2 so that d a 2 ,b 2 (z ) = \C 2 — (x — s) — 2z\ (as in figure 3.2(h)). Then d ai) b 1 and d a2 ^ 2 
intersect with negative gradient when z = s, and the height of this intersection point 
is h + (x — s). The following basic lemmas will be very useful for the remainder this 
proof. 

Lemma 3.2.3.1. If s > 0, d'{z) > 0 for z < s, with z « s. 


Proof. At any z, d'(z) is either —2, —1,1 or 2. If d'{z ) < 0 for z < s with z ~ s, then 
since d aitbl (z) = d(z) for z > s with z ~ s, d ai ^ bl would still be the smallest function 
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for z < s, with z ~ s. But this is a contradiction to [s, /] being the region which either 
d au b] or d a ljbl are the smallest functions over. □ 

Lemma 3.2.3.2. In the case where the intersection point of d aljbl and d a2)b2 when 
d ' a i bl , d' a2 b2 < 0 is when z = s, d satisfies S3 over [s, /]. 


Proof. After d a2:b2 is redefined, d aitbl and d a2jb2 are clearly still the smallest functions 
over [s, /]. Hence we only need to consider the intersection points of d altbl and d a2 ,b 2 
to prove the lemma. By the nature of the functions d 0A bl and d a2tb2 , d ai:bl and d a2tb2 
can have at most one intersection point when both d' b] and d' a2 bo have the same sign. 
Now d ai 5, and d a2jb2 intersect when both have negative gradient when z = s. Hence 
the only z where ri’s gradient changes, but the sign of cfs gradient remains the same 
over [s,/], is when z = s. But Lemma 3 . 2 . 3.1 implies that the gradient of d changes 
from a positive to a negative value when z = s. Hence S3 is satisfied over [s, /]. □ 


As a result, we can conclude x > s, since otherwise S3 would hold over [s, /] when 
d a2: b 2 ( z ) was | C ‘2 — 2z\. Hence the height of the intersection point of d aitbl and d a2 ,b 2 
when both d! bl ,d! b2 < 0 is increased when d a2 ,b 2 is redefined, so the area under d 
over [s, /] is decreased by redefining d a2 ,b 2 in such a way that d satisfies S3 over [s, /]. 
Since the value of d(z) doesn’t increase when d a2tb2 is redefined for 0 < z < s and 
f < z < N, the area under d over all other regions apart from [s, /] does not increase 
when d a2 fi 2 is redefined. Hence the area under d over [0, N ) is decreased by redefining 
d so that S3 is satisfied over [s, /]. 

A very similar argument can show that in the case where there exists a z such that the 
function which is smallest changes from dA lt B 1 to dA 2 ,B 2 at z, and d' Ai R| , dfi 2 Bo > 0, 
then we can redefine dA 2 ,B 2 so that the area under d over [0, N) is decreased and S3 
is satisfied over [S,F] (where S and F are defined such that d equals either dA 1 ,B 1 or 
d a 2 ,b 2 for all 2 with S < z < F). 

Therefore, in every case where there exists z such that the gradient of d changes but 
keeps the same sign at z. we can decrease the area under d over [0, N) by redefining one 
of the functions in {di,i(z), d\ t 2 ( 2 ),..., di^ Pl (z), o? 2 ,i(^),..., d2, P2 (z)}, so that d satisfies S3 
over each of the intervals [s,f] and [S, F]. Hence, in such a case we can decrease the 
area under d while making d satisfy S3 over [0, A") (Prop3). 

By combining Prop1,Prop 2, and Prop 3, we can conclude that in every case where d 
is not a sequence of triangles (so at least one of Si,S2 or S3 doesn’t hold for d), we can 
decrease the area under d by redefining d so that d is a sequence of triangles (so Si ,£2 
and S3 all hold for d on [0, N)). □ 
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Figure 3.1: Diagram of the kind of situation being considered in lemma 3.2.4 


In any five kangaroo method, we are given a set of functions of the same form as 
those in lemma 3.2.3. To minimise the expected number of group operations until the 
closest useful pair collides, we need to minimise the area under d, by choosing the C',; 
and CjS appropriately in functions of the form of lemma 3.2.3. Hence we may assume 
that when the area under d is as small as possible, d will be a sequence of triangles. 
Therefore, since this theorem is stating a lower bound on the expected number of 
group operations until the closest useful pair collides, for the purposes of the proof of 
this theorem, d can be assumed to be a sequence of triangles. 

The following lemma will be useful in finding how small the area under d can be, given 
that d can be assumed to be a sequence of triangles. 

Lemma 3.2.4. Fix n, N G N, and let the gradients G\,G 2 ,--.,G n G R \ {0} be fixed. 
Let R\,R 2 ,■■■,Rn be such that Ri > 0, Ya=\ Ri = AT, an d such that the sum of areas 
of triangles of base Ri and gradient G{ is minimised. Then all triangles have the same 
height. 


Proof of Lemma 3.2.4- I will label the triangles such that the i th triangle (T,) is the 
triangle which has i — 1 triangles to the left of it. Gj. can be considered to be the 
gradient of the slope of Tj, and Ri can be considered to be the size of the region which 
Tj occupies. Also let At be the sum of area under these triangles. A diagram of the 
situation is shown in Figure 3.1. 


j2 R i = N 

i—1 


Then we have 
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and 


A t = Y, 

i =1 


\Gi\.R? 

2 


In the arrangement where the heights of all the triangles are the same, for each 1 < i < 
j < n, Ri/Rj = | G-j | /1 G, |. Suppose we change the ratio of Ri to Rj, so that the new 
Ri is Ri + e, and Rj becomes Rj — e (note that e can be greater than or less than 0). 
Then the area of T* becomes ( Gi(Ri + e) 2 )/2 = (Gi(R 2 + 2P^e + e 2 ))/2 while the area 
of Tj becomes Gj(R 2 — 2 Rje + e 2 )/2. At therefore changes by 


Gj\(Rj + e) 2 \Gj\(Rj-e) 2 \G.\R 2 

2 + 2 2 


2 + 2 


+ \Gi\Rie — \Gj\Rje 


\Gi\R% 

2 


\Gj\R] 

2 

\Gj\R] 

2 



— \G,\R, l € — \Gj\Rje + e 2 — e 2 > 0 


Therefore, adjusting the ratio of the size of any two regions away from that which 
ensures the height of the triangles is the same, always strictly increases the sum of the 
area of the triangles. It follows that when the heights of all the triangles are equal, the 
sum of the area beneath these triangles is minimised. □ 

Lemma 3.2.5. In the case where d is a sequence of triangles, each useful pair is either 
never the closest useful pair, or it is the closest useful pair over a single region. 


Proof. By a useful pair (P) being the closest useful pair only over a single region, I 
mean that there is a single interval [s,f], with 0 < s < f < N, such that P is the 
closest useful pair for all 2 where s < z < f. This is in contrast to there being intervals 
[si, /i], and [s 2 , jg], where 0 < si < f\ < N, and /i < «2 < fi < N, such that P is the 
closest useful pair for all 2 with s\ < z < fu and S 2 < 2 < / 2 , but P is not the closest 
useful pair for all 2 where f\ < z < S 2 - 

The result of this lemma follows easily from the fact that if d is a sequence of triangles, 
then for every 2 where the closest useful pair changes (say from Pi to P 2 ), the gradients 
of the initial distance functions between Pi, and P 2 have opposite sign. □ 


Proof of Theorem 3.2. The lemmas can now be used to prove the theorem. Firstly, 
label all useful pairs in any way from 1 to n, where n is the number of useful pairs of 
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kangaroos in A. Now since d can be assumed to be a a sequence of triangles, lemma 
3.2.5 implies that a useful pair is either never the closest useful pair, or there exists a 
single region for which a useful pair is closest over. For each i, in the case where pair 
i is the closest useful pair over some region, let Ri denote the single region which pair 
i is the closest useful pair over, and Ri s denote the size of Ri. In the case where pair 

1 is never the closest useful pair, define Ri s to be 0. Then Ya =i = N. Letting d t 
denote the distance function between pair i for each i, by Lemma 3.2.2, di(z ) is of the 
form | C ± giZ |, where g t is 1 or 2, and C G M. It is clear from the diagram in section 2.4 
that such functions feature at most two triangles, both of which have slopes of gradient 
with an absolute value of gt. Hence di must feature at most two such triangles over 
Ri. Now for every i, pair i is the closest useful pair over Rj, so d(z) = di(z) \/z G Ri. 
Therefore, d features at most two triangles over Ri, both of which have slopes that 
have a gradient with an absolute value of g{. Therefore, if we let T gi and T g „ denote 
the number of triangles in d where the absolute values of their gradients are 1 and 

2 respectively, T gi < 2 \p gi = 2Nt(Nwi + % 2 ) and T g2 < 2 p g2 = 2 NwiNw 2 ■ Now 

by Lemma 3.2.4, for the area under d to be minimised, all triangles must have the 
same height. This implies that all triangles with the same gradient in d must cover 
a region of the same size. Defining R,t x and Rt 2 to denote the size of the regions 
covered by each triangle of gradients 1 and 2 respectively, Lemma 3.2.4 also implies 
that Rj 1 = 2 Rt 2 ■ Then since all triangles cover the domain of d, N = T gi R Tl + Tg 2 Rt 2 
< 2Nt{Nwi + Nw2)Rt\ + 2N\yiN\y2Rt 2 = 4Nt{Nwi + Nw2)Rt 2 + 2N\yiN\v2Rt 2 - 
Hence Rt 2 > N/{4Nt{Nw\ + N\y 2 ) + 2 .N\yiNw 2 )- Now since all triangles in d have the 
same height, the average of d over all z with 0 < z < N is half the height of all triangles. 
Therefore, since the height of a triangle of gradient 2 is 2 Rt 2 , Rt 2 gives the average of 
d, which is the average distance between the closest useful pair. Then by Lemma 3.2.1, 
the expected number of group operations until the closest useful pair collides in the case 
where the area under d is minimised (and hence the average distance between the closest 
useful pair is minimised) is 10 \JRt 2 > 10 ^/ N / (4Nt(N\vi + Nw 2 ) + 2 Nw\Nw 2 )- □ 


By plugging in various values of Nt , Nyy 1 and N\y 2 into this formula under the 
constraint that Nt + Nw 1 + N\y 2 = 5, we can gather a lower bound on the expected 
number of group operations until the closest useful pair collides, when different numbers 
of each type of walk are used. The following table shows the methods which achieved 
the three best lower bounds. In the table, a tuple of the form (x, y , z ) denotes an 
algorithm that uses x tame kangaroos, y wildI kangaroos, and z wild2 kangaroos. 
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in / N 

Number of walks of each type used 

V ( 4N t (N W i+N W 2)+2N W iN W 2 ) 

1.8898 y/N 

(2,1,2),(2,2,1) 

1.9611\/lV 

(3,1,1) 

2 M12VN 

(1,2,2),(2,0,3),(2,3,0), 

(3, 0,2), (3, 2,0) 


From this, it can be seen that a (2,2,1) 5 kangaroo method has the minimal lower 
bound on the expected number of group operations until the closest useful pair collides, 
of 1.8898 VN group operations. A (2,1,2) method doesn’t need to be considered as a 
separate case, since this is clearly equivalent to a (2,2,1) method. If one starts two 
wildI kangaroos at h and g°' 7124:N h, a wild2 kangaroo at g 135e2N hr 1 , and two tame 
kangaroos at g 0 - 9274N and f/°' 785Ar , the lower bound (2, 2,1) method of 1.8898 \fN group 
operations is realised. The table shows that in any other 5 kangaroo method, the closest 
useful pair can’t collide in less than 1.9611\?N group operations on average. 

Since the closest useful pair of kangaroos is by far the most significant in determining 
the running time of any kangaroo algorithm (for instance, in the 3 kangaroo method 
the expected number of group operations until the closest useful pair collides could be 
as low as 1.8972 \/N group operations, while the expected number of group operations 
until any pair collides can only be as low as 1.818V?V group operations), a method 
that uses 2 tame, 2 wildI, and 1 wild2 kangaroos is most likely to be the optimal 5 
kangaroo method, out of all methods that only use tame, wildI, and wild2 kangaroos. 


3.3 Where the Kangaroos should start their walks, and 
what average step size should be used? 


Given that, in any 5 kangaroo method that uses only tame, wildI, and wild2 kan¬ 
garoos one should use 2 wildI, 1 wild2, and 2 tame kangaroos, the next question to 
consider is where abouts the kangaroos should start their walks. In the analysis that 
answers this question, the question of what average step size to use will be answered 
also. I will now state some definitions and remarks that will be used throughout the 
remainder of this thesis. 


zN 

5 


Remark 1: Firstly, I will redefine the IDLP to be to find z, given h = g 
when we’re given g and h, and that 0 < z < 1. 
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• Remark 2: At this stage, I will place one constraint on the starting positions 
of all kangaroos. This being, that all Wild1,Wild2, and Tame kangaroos will 
respectively start their walks at positions of the form aN + zN, bN — zN, and 
cN, for universal constants a,b, and c, that are independent of the interval size 
N. This is the only constraint I will place on the starting positions at this stage. 

• Remark 3: I will let Di^ z denote the initial distance between the i th closest 
useful pair of kangaroos for some specified z. It follows from Remark 2 that 
Di, z = di' Z N, for some di, z independent of N. 

• Remark 4: The average step size m will be defined to be c m \/N , for some c m 
independent of N. 

• Remark 5: Si Z will be defined such that Si Z denotes the expected number 
of steps the back kangaroo requires to catch up to the front kangaroo’s starting 
position in the i th closest useful pair, for some specified z. It is clear that S^ z = 
|~ —Since -D ; >2 = di }Z N , and m = c m y/N for some di jZ , and c m which are 
independent of N, we can say Si jZ = |"sj )Z \/lV] for some Si tZ independent of N. 
For the typical interval sizes over which one uses kangaroo methods to solve the 
IDLP (TV > 2 30 ), this can be considered to be Si tZ \/N. 

• Remark 6 : C hZ and will be defined such that C hZ = Yl )=l Si,z, and 

c i, z V TV = Ci Z . One can see from the definition of Si tZ that is independent of 
the interval size TV. 


I will answer the question that titles this section by first presenting a formula that 
can compute the running time of any (2,2,1) 5-kangaroo algorithm (see section 3.3.1), 
and then by showing how this formula can be used to find the best starting positions 
and average step size to use (see section 3.3.2). 
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3.3.1 Formula for computing the running time of a (2,2,l)-5 kangaroo 
algorithm 

Theorem 3.3.1. In any 5 kangaroo method which uses 2 tame, 1 wild2, and 2 
wildI kangaroos, the expected number of group operations required to solve the IDLP 
is approximately 

5 ((/q 1 c z dz}j + o(l)) VN + 0(log(N)), where 


i - iH , z + Cj , z ) Cm - i*i + l , z + H,z r 

/, I ^ cm (— + Si , z ) — e c ™ (— + Sj+l,z) 

I * 


Cz = y^ I e 


Proof. Any 5 kangaroo method can be broken into the following 4 disjoint stages; 


• Stage 1- The stage where the algorithm is initialised. This involves comput¬ 
ing the starting positions of the kangaroos, assigning a step size to each group 
element, and computing and storing the group elements which kangaroos are 
multiplied by at each step (so computing g H ( x l for each x in G ). 

• Stage 2- The period between when the kangaroos start their walks, and the first 
collision between a useful pair occurs. 

• Stage 3- The period between when the first collision occurs, and when both 
kangaroos have visited the same distinguished point. 

• Stage 4- The stage where z is computed, using the information gained from a 
useful collision. 


3.3.1.1 Number of group operations required in Stage 1 


To find the starting positions of the kangaroos, we require one inversion (to find the 
starting position of the kangaroo of type wild2), 3 multiplications (in finding the 
starting positions of all wild kangaroos), and 5 exponentiations (one to find the start¬ 
ing position of each kangaroo). All of these operations are 0(log(N)) in any group. 
As explained in [ 8 ], the step sizes can be assigned in 0(log(iV)) time also using a hash 
function. To pre-compute the group elements which kangaroos can be multiplied by at 
each step, we need to compute g s , for each step size s that can be assigned to a group 
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element (this is the number of values which the function H can take). The number 
of step sizes used in kangaroo methods is generally between 20 and 100. This was 
suggested by Pollard in [8]. Applying less than a constant number (100) of exponen¬ 
tiation operations requires a constant number of group operations (so independent of 
the interval size). 

Summing together the number of group operations required by each part of Stage 1, 
we see that the number of group operations required in Stage 1 is 0(log(N)). 


3.3.1.2 Number of group operations required in Stage 2 

To analyse the number of group operations required in stage 2, I will define Z(z) to 
be a random variable on N such that Pr (Z(z) = k) denotes the probability that for 
some specified z, the first collision occurs after k steps. From this, one can see that 
E (Z(z)) = J2kLo k P r (Z( z ) = k), gives the expected number of steps until the first 
collision occurs, at our specified z. 


Important Remark 


To compute E (Z(z)), I will compute the expected number of steps until the first useful 
collision occurs in the case where in every useful pair of kangaroos, the back kangaroo 
takes the expected number of steps to catch up to the front kangaroos starting position, 
and make the assumption that this is proportional to the expected number of steps until 
the first useful collision occurs across all possible random walks. This assumption was 
used implicitly in computing the running time of the three kangaroo method in [3], 
and is a necessary assumption to make, since calculating the expected number of steps 
until the first useful collision occurs across all possible walks is extremely difficult. 

The following lemma will be useful in computing E (Z(z)). 

Lemma 3.3.1. In the case where in every useful pair of kangaroos, the back kangaroo 
takes the expected number of steps to catch up to the starting position of the front 

/ n / s //is 1 —ik — i+C^ z+j 

kangaroo, for every k, Pr (Z(z) = k) = J2 where i is the number of 

i =i J m 

pairs of kangaroos for which the back kangaroo has caught up to the front after k steps. 


Proof. Let k G N, and i be such that S t (z) <k< 5,: + i(z). In the case where in every 
pair of kangaroos, the back kangaroo takes the expected number of steps to catch up 
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to the starting position of the front kangaroo, when Si(z) < k < Sj+i(z), there will be 
exactly i pairs where the back kangaroo will be walking over a region that has been 
traversed by the front kangaroo (these will be the i closest useful pairs). Therefore, 
exactly i pairs can collide after k steps, for all Si(z) < k < Si+i(z). In order for the first 
collision to occur after exactly k steps, we require that the i pairs that can collide avoid 
each other for the first A: — 1 steps, and then on the k th step, j pairs collide for some j 
between 1 and i. I will define E^j to be the event that there are no collisions in the first 

k — 1 steps, and then on the k th step, exactly j pairs collide. Since E^j and E^j are 

i 

disjoint events for j / l, we can conclude that Pr (Z(z) = k) = J2 (1)- Now 

3 = 1 2 

Pr (Ekj) can be computed as follows; In any instance where Ekj occurs, we can define 
sets X and Y such that X is the set of all x where the x th closest useful pair of kangaroos 
doesn’t collide in the first k — 1) steps, but does collide on the k th step, and Y is the set 
of all y where the y th closest useful pair doesn’t collide in the first k steps. Now in Stage 
2 of the van Oorshot and Weiner method, I explained how at any step, the probability 
that a pair collides once the back kangaroo has caught up to the path of the front is 
1/m. Hence for any x E X, the probability that the back kangaroo in the x th closest 
useful pair avoids the path of the front kangaroo for the first k — 1 steps, but lands on 

* 7 -1 -i . ? o 1 ^ j z 

an element in the front kangaroos walk on the k step is — (1 — —)« j-e m , 

while for any y E Y, the probability that the y th closest useful pair doesn’t collide 

in the first k steps is (1 — —) K+L ~ tiy ’ z ~ e rri . Now before any collisions have 

taken place, the walks of any 2 pairs of kangaroos are independent of each other. 
Therefore, the probability that the pairs in X all first collide on the k th step, while 

i — k+S x ,z ~ k — 1+Sy^z 

all the pairs in Y don’t collide in the first k steps is Ila-ex m e Y\ v &y e 

1 - jk + E xe X S *’* -n-J)fc-(-J) + E wey g O^ , at . n t 

= me rn = — T e m . JN o w since there are . 

m3 m3 \j/ 

ways for j out of the i possible pairs to collide on the k th step, we obtain the formula 

— ik—i-\-j-\-Ci z 

P(Ekj) = Q)~je ™ When substituting this result back into (1), we obtain 

— ik— i+i+Cj z 

the required result of Pr (Z(z) = k) = Y?j =l (j)^J e ”* ~ □ 


I will now define p z to be the function such that p z (k ) = kPv(Z(z) = k), for all 
k G N. Hence E (Z(z)) = Y^T=o 'Pz{k). Now in a 5 kangaroo method that uses 2 Tame, 

2 WildI, and 1 Wild2 walks, there there are 8 pairs that can collide to yield a useful 
collision (4 Tame/WildI pairs, 2 Tame/Wild2 pairs, and 2 Wild1/Wild2 pairs). 
Hence for any k, the number of pairs where the back kangaroo has caught up to the 
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front kangaroos starting position can be anywhere between 0 and 8. Therefore, 


Pz(k) = < 


0 




-k + C i, z 


-2k-l+C 2 . 


-2k+C 2 


.^ — 3 fc—3+J+C3 z 


4^ 4 - 4 fc- 4 +j+C 4i . 


J=1 

5 - 5 fc - 5 +^+ c 5 ,, 

J=1 

6 -Cfc- 6 +j + C 6i . 
J=1 

7 ,7s ! -7fc-7+i + C 7j2 

—-— 
3 =1 

8 , Qs — 8fc —8+J+C3 z 

E/'()s»-”- 

3 = 1 


1 < A < Si i2 
*9i, z < A < 5 2 ,z 
) S 2 , z <k<S 3tZ 
S3,z <k< 5 4 , 2 

&U < k < S 5 , z 

*95,2 < k < *9 6)Z 

*V < ^’ < *97,2 

* 97,2 < k < Ss, z 

*98,2 < A < 00 


For the rest of this thesis, I will consider p z as a continuous function. The following 
result will be useful in computing E(Z(z)). 

Theorem 3.3.1.1. ff° p z (k)dk — 0(1) < E (Z(z)) < p z (k)dk + 0(1). 


Proof. The proof of this will use the following lemma. 
Lemma 3.3.2. p z (k) is 0(1) VA 


Proof. Let 0 < z < 1. Then V A < S\ tZ , p z (k ) = 0, while V A > Si ;Z , p z (k) = 

A Yjj=i (*■) < 77 “, for some 1 < i < 8. Hence for the purposes of the proof 

of this lemma, we can assume A > Si tZ . I will state some facts that will make the 
argument of this proof flow more smoothly. 

_ — ik—i+j+Ci jZ 

Fact 1: For A such that 5 7j2 < A < Si + \ iZ , e ™ < 1. 

This holds because since A > Sj i2 , ik > iSi tZ > 1 &j,z = Ci tZ . Also, i > j. Hence 

—ik—i+j+Ciz 

—ik — i + j + Oj )2 < 0, and e ™ ’ < 1. 

Fact 2: No useful pair of kangaroos can start their walks further than a distance 
of 6 N apart on an interval of size N. Also, the average step size is at least O.OGGDTv/AA 
Both of these facts will be explained in ’Remark regarding Lemma 3.3.2’ on Page 44. 
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Fact 3: The interval size can be assumed to be greater than 2 30 . This was 

explained in the introduction, and can be assumed because one would typically use 
baby-step giant-step algorithms to solve the IDLP on intervals of size smaller than 2 30 . 


I will show that p z (k) is 0(1) for two separate cases. 


Case 1: The case where S 8tz < m/8. 

First, consider the situation in this case where Si z < k < m/8. Let i be such that Si_ z < 
k < Si + i jZ . Then by Fact 1, Fact 2, Fact 3, and the condition that k < m/8, p z (k) = 

j — ik — i+j+Cj 2 ... m . . 

E5-. Qw e ” " £ E5-. G>& £ Eh. <5>*S E5-. (j) a( o. OS69 rV 2 »).- - whidl 

is clearly 0(1). 

Now consider the case where k > m/8. Then since Ss, z < m/8, k > S 8jz . Hence 




— 8/c — 8+j+Cg ?2 


Hence 


■‘i 

dpz(k) _ 


dk 


= (zu §> 


-8k — 8+j+Cg, z 


^1 — This is less than 0 for k > m/ 8 . 


Hence V k > m/ 8 , p z {k ) < p z (m/ 8 ). Since p z (m/ 8) is 0(1), p z {k) is 0(1) for k > m/ 8 . 


Case 2: The case where S 8tZ > m/ 8 . First, consider the situation where 

Si tZ < k < S 8>z . Let i be such that Sj iZ < k < Si+ i iZ Now Fact 3 and Remark 5 (see 
Page 29) imply that S 8 , z < 0 06697 ^ < 90 VN. Hence k < 90v/lV. Therefore, p z (k ) = 

. • . — Ik — i “I - CD~ ~ ... . . / 

AN k -—-— yM /U k y-n /z\ 90y N y (i\ _90_ 

^3 =1 \j> mi m — ^j =1 \j> mi — ^j= 1 \j'/ — N,j=l \j) 0.06697^(0.06697 

< ( 1 ) 0^97 + D?= 2 o( 1 )» w hich is 0(1). 

Now when k > S 8 , z , = (l2j=i (j)pl e ™ ~) (! - “)• Since k > S 8 , z > 

m/ 8 , < 0 V k > S 8 , z . Therefore, p z (k) < p z (S 8 , z ) Vfc > Sg,*- Since p z {S 8jZ ) is 

0(1), p z (k) is 0(1) V k > S 8 , z . 


□ 


I will now prove the theorem by approximating the sum of p z (k ) over all k E N to the 
integral of p z (k), over each interval [S/ z , S'i+i^). On the interval [l,<Si )Z ), p z (k) = 0, 
so X)fc=i Pz(k) = J] p z {k)dk (2). Hence for the rest of the proof I will consider 
p z (k) on intervals [<S/ Z , <Si+i,z), where i > 1. Now let pi )Z be the function such that 

— ik—i+j+Ci 2 

Pi,z{k ) = kJ2j =1 i])pj e ™ ^ (so Pi, z {k) = p z (k) k G [S ijZ , S i+ i jZ )). Now by 

differentiating p ijZ , we obtain = ( E/=i Q) e m “ J (l - ^J. Hence p i:Z 
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has a single turning point (at k = ™). Since p z (k) = Pi, z (k) for some i for every i > 1, 
on each interval [Si }Z , Si + i tZ ), p z is either only decreasing, only increasing, or 3 a t such 
that V k < t, p z is increasing, and V k > t, p z is decreasing. 

In the case where p z is only decreasing on an interval [Si tZ , Si + i jZ ), by applying the 
integral test for convergence, we can conclude that fg l+1 ’ z p z ( r )d r < J2k=s’ Z 1 Pz(k) < 
fs^ 1 ” p z (r)dr + p z (Si !Z ) (3), while if p z is only increasing on [S i}Z , 5 i+ i jZ ), p z (r)dr- 

Pz{Sz, z ) < E£ ts’i'pzik) < itsCM^dr ( 4 ). 


Now consider p z on intervals of the form [Si :Z , Si+ i iZ ), where there exists a turning 
point t such that V k < t, p z is increasing, while V k > t, p z is decreasing (see figure 
3.3(a)). Let j be defined such that j = max{m £ N|n < i — 1}. Then by applying the 
integral for convergence test to the intervals [Si tZ ,j + 1], and \j + 2, £j+i iZ ], one can see 
that E {tl^Pzik) > fk=s iit Pz(r)dr and E^f+^Pzik 0 > Pz(r)dr. Therefore, 

Pz( k ) + Sj+i Pz( r )dr > Is'* 1 ’* p z (r)dr. Now p z (r)dr = Ave{p z (r)\j +1 < 

O'. 

r < j + 2}, which is 0(1) since all p z (k ) are 0(1). Hence p z (r)dr — 0(1) < 

e; s^pzik) (5). 

Now the integral for convergence test, applied again to the intervals [<Si, 2 ,j + 1], 
and [j + 2,Sj +M ] implies that E l=s i:Z Pz( k ) < fs+ z Pz(f)dr, and Efc=/+3 _1 P*( k ) < 
ff+2 hz Pz(r)dr. Also, it is clear that p z (j + 1) + p z (j + 2) < p z (j + 1) + p z (j + 
2) + //+ 2 p z (r)dr. Hence, E { =SiiZ Pz( k ) + Pz(j + 1) + Pz(j + 2) + E?=/+ 3 _1 P*( fe ) < 
C p z (r)dr + Sji:l Pz{r)dr + Jj +2 I z Pz{r)dr. Therefore, since p z (j + 1) and p z (j + 2) 
are 0(1), E P( k ) < fs^’* Pz(r)dr + 0(1) (6). 
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From (2),(3),(4), (5), cincl (6), wg Ccin sgg thcit for cill intervals \S^zi Si-\~\,z 


8i+l,z g i+iz 

p z (r)dr - 0(1) < Y Pz(k)<l__ p z (r)dr + 0{ 1) 


I Si 


Therefore, we obtain the required result of 


'Si. 


roo 00 roo 

/ p z (k)dk-0 {l)<YPz{k) = E{Z{ z ))< p z (k)dk + 0{ 1) 
Jl k=i Jl 


□ 


Hence for large interval sizes N, p z {k)dk approximates the expected number of 
steps until the first collision very well. The following lemma will make the computing 
of p z (k)dk far more achievable. 

C. • — ifc+C^ 2 — i+j 

Lemma 3.3.3. Vi, j where 1 < i < 8, and j > 2, k{j)^j e ™ is 0(1). 


-~ik+C itZ -i+j 

Proof. The integral of k (*.) ^e ™ with respect to k is 

— ik+C^ z —i+j 

(j)(ik + m)e m 
i 2 rrP~ l 

Q . —ik+Cj z —i+j 

SO fSi,T’ Z k 0 mJ e ™ dk is 

/ — iS i,z+ c i,z -i+3 - iS i+l,z+ c i,z ~*+J 

( e rn ( iSi :Z Am) — e ™ (i<Si+i,z + m) 



(7) 


Now in the proof of Lemma 3.3.2, I showed that e 

(j)(Si, z +m) 


~ iS i,z+ C i.z—i+j 


< 1. HcncG (7) is less 


than 


i 2 m,j— 1 


In the proof of the same lemma , I also showed that Si Z < 90 y/N, 

□ 


and Cm < 0.06697 +N. Hence ’ which is °( 1 ) for 3 - 2 ‘ 


Therefore, from the formulas at the top of page 33, we see that 


p z (k)dk = Y 


i= 1 



ik -jk+Cj'.-i+i 

—e m 

m 


+ 0 ( 1 ) 


( 8 ). 
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q. — ik-\-Ci z — i -\-1 

Now each Ja ‘ +1 ’ z ^e ™ is 

J di.z HI 


-i'S i .,,+C. i , 3 -i+ 1 m ~ iS i+l,s+ c i,t -*+! m 

e m (— + Si tZ ) — e rn (— + *S'j +1)2 ) 


Substituting this into (8), we obtain 


f°° , \ ( ~ iS i,z+ c i,z - i + 1 / rn . ,yn \ 

J i p z (k)dk = Y^[e m (y + Si, 2 )-e - (y + £i+i,z)J + 0(1) 

Now since U,; )Z = <Sj>, U,; )Z can be expressed as Ci yZ yfN, for some Cj )Z independent 

of N. Hence 


»—, / ~ iS i,z+ C i,z ~ i + 1 777, _iS i+l,z+ C 'i,z _i + 1 in 

E( e m (— + Si, z ) — e ™ (— + <5j+i z ) 


(~ is i,z+ c i,z)TN-i+ 1 (-is, i x ,+Cj z )VBf-i+l 

-^-/ ( -m. \ /TT -m 


.W (— +s ijZ )VN- 

i 


* / 


/ ( ^ s i,z~^ c i,z) 


( u m x -i+1,2: C M C m \ 

(— + Si,z)-e c ™ (—+ Sj+i, z ) ViV 


= E 


= E' 


Now for the typical interval sizes over which one uses kangaroo methods to solve the 
IDLP (N > 2 30 ), e~m is extremely close to 1. Hence we can safely ignore the e ™ term 

—i+l 

in (9). I will state how large the approximation error due to ignoring this e ™ term 
is when I present my final kangaroo algorithm in section 3.4. Therefore, if we define c z 

/ ~ i;3 i. + l,z+ c i.,z \ 

to be J2i=i ( e Cm (ir + Sj^-e (^f + Sj+i,z) , we have p z (k)dk- 


0(1) = c z \/N. Using the result from Theorem 3.3.1.1, we can conclude that 

E(Z(z)) = c z VN ± 0(1) ( 10 ) 

Hence the expected number of steps until the first collision over all instances of the 
IDLP (i.e. over all z with 0 < z < N) is 

E(Z) = cVN ± 0(1) ( 11 ) 

where c = Ave{c z |0 < z < 1} = Jq c z dz. Now since at each step, each of the 5 kangaroos 
make one jump, the expected number of group operations until the first collision occurs 
across all z is 

5 c z dz^j ± 0 ( 1 ) ( 12 ) 
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3.3.1.3 Number of group operations required in Stage 3 


From the analysis provided in [3], if one sets the probability that a group element is 
distinguished to be c\og(N)\/JSf , for some constant c > 0, the expected number of 
group operations required in stage 3 is \fN /clog(lV) = o(l)y/N. 


3.3.1.4 Number of Group operations required in Stage 4 


The kangaroos used in a 2 tame, 2 wildI, and 1 wild2 kangaroo method are of the 
same type as those used in the three kangaroo method. I explained how one may find 
z from a collision between any of these types of kangaroos when I described the three 
kangaroo method. In any case, at most 3 addition or subtraction operations modulo 
|(/|, while in the case where a WildI and a Wild2 kangaroo collides, we are required 
to find 2 _1 (mod \g\ ). Hence the number of group operations required in this stage is 
0 ( 1 ). 

Now by summing the number of group operations required in stages 1,2,3 and 4, 
we obtain the required result that the expected number of group operations required 
to solve the IDLP by any 2 tame, 2 wildI, and 1 wild2 kangaroo method, is approx¬ 
imately 5 ^/q 1 c z dzj + o(l)) y/N + 0(log(IV)). □ 


3.3.2 Finding a good assignment of starting positions, and average 
step size 

In this subsection, I will use the formula presented in Theorem 3.3.1 to find the best 
choice of starting positions and average step size that I could possibly find. 

The process I will use to do this will be to first state how the formula of Theorem 3.3.1 
can be used compute the running time of an algorithm with particular starting positions 
and average step size (see Algorithm 1), and then to iterate through various possible 
starting positions and average step sizes, to find which one minimises the running time. 
For this purpose, I will define a,b,c,ti, and t 2 to be universal constants independent of 
the interval size N, such that on an interval of size N, the 2 WildI kangaroos start 
their walks at the positions aN + zN and cN + zN, the Wild2 kangaroo starts his 
walk at bN — zN, and the 2 Tame kangaroos start their walks at t± and t. 2 - 


One can see from the formula of Theorem 3.3.1, that finding the running time of 
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any 5 kangaroo method requires finding Jq c z dz. Now calculating c z at any z requires 
finding Si )Z V i with 1 < i < 8. The most rigorous approach to finding the average 
of c z would be to find a formula for each Si, z across all z, and to plug this into the 
formula for c z , and then integrate this across all z. Finding a direct formula for each 
Si iZ that holds for all possible choices for the starting positions and the average step size 
proved to be too difficult. I therefore proposed the following simulation based approach 
for computing Jq c z dz. This is how the CC>mputeaveragec 2 function of Algorithm 1 
computes Jq c z dz. 

At a particular z, Si, z can be computed by finding the starting positions of all kangaroos 
on an interval of size N = 1 (this means computing aN+zN = a + z, b — z, c+z, t\ and 
t 2 ), and then finding the distances between all useful pairs when the kangaroos start 
at these positions. By then ranking these distances in the manner done in line 5 of 
Algorithm 1, one can find D lz for each i between 1 and 8, for an interval of size N = 1. 
One can then find s^ z using D t z /rn = di )Z N / c m \jN = Si, z \jN = Si jZ . Following this, 
we can compute all Cj j2 , using Cj )2 = J2j =i s j,z■ Hence we have all the information we 
need to compute c z . By finding the average of c z for a large number of evenly spaced 
z in [0,1) (so for instance, computing c z for all z in {z\z = 10 ~ p k, k G N, 0 < z < 1}, 
with p > 3), we can approximate Jq c z dz. The pseudocode for the matlab® function 
to compute c z is shown in Algorithm 1. 


Algorithm 1 Function for finding the average of c z 
1: function COMPUTEAVERAGEC 2 (a,6,C,ti,t 2 ,C m ,p) 

2 : Z i - 0 

3: sumofc 2 i — 0 

4: while z < 1 do 

5: distancesarray sort( 

{ |(a + z) - , |(6 - z) - ti| , | (c + z) - ti| , |(a + z) - t 2 | 

|(6 — z) - f 2 |, |(c+ z) — t 2 |, |(a + z) — (6 — z)|, \(c + z) — (6 — z)\ }) 
6: for i •(— 1 to 8 do 

7: Sj )2 <— distancesarray [z] / c rn 

8 : Ci,z Y^j =1 s j,z 


9: 

10 : 

11 : 

12 : 


Cz±- Ei=l e Cm (^f +Si, z )-e era ( C f + .S','| lx) 


sumofc 2 •(— sumofc 2 + c z 
z <- z+ 10“ p 
return sumofc 2 /(10 p ) 


Therefore, if we let O p t denote the output of this function on some specified combi¬ 
nation of starting positions and average step size (i.e. values of a,6,c,ti,t 2 and c m ), then 
from (11), the expected number of steps until the first collision occurs for this combi- 
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nation is O p t\fN ± 0(1) (13). Also, from the formula of theorem 3.3.1, the expected 
number of group operations required to solve the IDLP for our specified combination 
of starting positions and average step size is approximately (5 O p t + o(l)) y/~N ± 0(1) 
(14). I will state how large the error of this approximation is when I present my five 
kangaroo algorithm in section 3.4. 

Therefore, if we let a lopt .b op t,c op t,t\ opt ,O opt , and c mopt respectively denote the best 
values for a,b,c,ti,t 2 and c m , then a 0p t,b 0p t,c 0p t,ti opt ,t 2 opt , and c mopt are the values of 
a,b,c,ti,t 2 and c m for which the output of the COMPUTEAVERAGEc^ function is smallest. 

This fact gives rise the to the following algorithm for finding good values for 
a,b,c,ti,t 2 , and c m . The pseudocode for this algorithm is shown in Algorithm 2. The 
idea of the algorithm was to start with a range of values for which the optimal val¬ 
ues of a,b,c,ti,t 2 , and c m lay in. These ranges would be encapsulated in the variables 
a mini a maxfiminibmaxi c mini c maxit\ rn i n it\max-it2 rn i n femax ,C mmin and C mmax , SO we would 
have CLmin S Oj 0 pt Si Umax • b m in S b op t. S b lna x - C m in S Copt S Cmaxi t 1 rn j /n S t 1 opt S maxi 

t 2min < t 2opt < t 2max . I was unable to prove a range of values for which a 0 p t,b 0 pt,c 0 pt, 
h op t^ 2 opt , and c mopt were guaranteed to lie in, but in (A),(B),(C),(D) and (E) 
(which can be found below), I state and justify some ranges for which a 0p t,& 0p i,c 0 .pi, 
ti opt ,t 2opt , and c mopt are likely to lie in. Using the SCANREGION function, I would 
then find good values for b,c,ti,t 2 and c m (by (A), a can be fixed at 0) by computing 
average^ for evenly spaced (separated by the amount defined by the variable ’gap’ in 
Algorithm 2) values of b,c,ti,t 2 , and c m , between the ranges defined by the variables 
bmin i bmax i Cmin i Cmax i hrnin^ma.MrniuMm^Nrnmin and c mrnax (see lines 3-10). The vari¬ 
ables Best6,Bestc, Best#i, Bestt 2 , and Bestc m would represent the values of b,c,t\,t 2 
and c m for which averagec- was smallest, across all combinations for which averages 
was computed for (this is carried out in lines 9-18). 

We could then find better values for b,c,ti,t 2 and c m than Best6, Bestc, Bestir, Bestf 2 , 
and Bestc m , by running the SCANREGION function on values of b,c,ti,t 2 and c m in a 
smaller region centred around Best6, Bestc, Bestir, Besti 2 , and Bestc m (see lines 25-28), 
that are separated by a smaller gap (see line 29). By repeating this process multiple 
times (see lines 24-31), we could keep finding better and better values for b,c,ti,t 2 and 
c m - Eventually however, the interval for which the SCANREGION function was called on 
would shrink to be zero in size. At this point, the the improvements in the best values 
for b,c,ti,t 2 and c m between iterations would become negligible. Line 24 determines 
when this occurs. 

The algorithm then computes Averagec^ to a higher degree of accuracy for the optimal 
values of b,c,ti,t 2 and c m (see line 32). It does this by setting the variable p in the 
Computeaveragec^ function to be 6 (p was set to 3 the main loop (see line 10), due 
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to reasons relating to the practicality of the running time of Algorithm 2). 


Estimates of initial bounds for the optimal values of a,b,c,t\,t 2 and c m 


(A). 

Vo'pt 

= 0 

(B). 

-1 

2 " 

— h ■ <? h < h _ 5 

— u min u opt — u max — 2 

(C). 

0 = 

Cmin — C-opt — Cmax — CLTld C ^ CL 

(D). 

-2 : 

opt — ^2 0 pt — r 

(E). 

0.06697 < c mopt < 0.5330 


Justification of (A). Suppose we start our kangaroos walks at N(d + z),N(b + d — 
z),N(c + d + z),N(ti + d), and AT(f 2 + d), where del. Then for all z, one can see 
that the starting distances between all pairs of kangaroos is the same in this case as 
when the kangaroos start their walks at IV(0 + z),N(b — z),N(c+ z),t\N and t 2 N (that 
is, if we subtract dN from all kangaroos starting positions). Hence if we use the same 
average step size in both cases, the running time in both algorithms will be the same. 
Hence for any algorithm where a > 0, there exists an algorithm where a = 0 which has 
the same running time. Hence we only need to check the case where a = 0, so we can 
claim that a op t = 0 □ 


Justification of (B). The bound presented here is very loose. If b—a > 2.5, or 6 < a— 0.5 
then V z, on an interval of size N, the initial distance between the kangaroos that start 
their walks at a + z and b — z is at least N/2 (when z = 0, |(a + z) — (—0.5 — z) | = 0.5, 
and when z = 1, |(a + z) — (2.5 — z)\ = 0.5). Now in the three kangaroo method, on 
an interval of size N, the furthest the initial distance between the closest useful pair 
of kangaroos could be across all z was N/5 (this occurred when z was 0, 2N/5, 37V/5 
and N). Now in a good five kangaroo method, since there are more kangaroos (than in 
a three kangaroo method), we can expect to the furthest initial distance between the 
closest useful pair of kangaroos across all z to be smaller than N/5. Hence if a pair of 
kangaroos in a five kangaroo method always starts their walks at least distance N/2 
apart, such a pair is highly unlikely to ever collide before the closest useful pair collides, 
at any z, and will therefore be extremely unlikely to ever be the pair which collides 
first. In a good 5 kangaroo algorithm, it would be natural to suppose that every useful 
pair of kangaroos can be the pair whose collision leads to the solving of the IDLP (i.e. 
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Algorithm 2 


1 

2 

3 

4 

5 

6 
7: 
8 
9 

10 

11 

12 

13 

14 

15 

16 
17: 
18 

19 

20 

21 

22 

23 

24 

25 

26 
27: 
28 

29 

30 

31 


function SCANREGION(6 m j n ,6. 


maxi'-'mtni'-'maxi u Imin )4 max 


^1 min 5^1 max 5^2^ 


1"> ^max ^'THmax "> 


gap) 


minaveragecz <— oo 

bvalues = H - ^ X G N, brain ^ bmin ~\~ k X gap ^ ^max} 

Cvalues = {^min + X G N, C m i n ^ Crain k X gap ^ Cma#} 

ti , = {ti . + x gapl/c GN.ti • < ii . + /c x qav < t\ j 

L values L L m%n 1 rr 1 ' ^5 L rmn — J-min 1 j -c — J-max J 

^values = {hmin + kx gap\k eN, t 2min < t 2min + k x gap < t 2ma J 

c m values = {c mmin + k x gap\k G N, c mmiri < c mmin + A: x £fap < c mma J 
Combinations = b va i U es x c va i U es x ti , x t 2 , x c m . 
for each {6, c, ti, t 2 , c m } £ Combinations do 

averagec 2 = GOMPUTEAVERAGEc 2 (0,6,c,ti,t2,c m ,3) 
if averagec 2 < minaveragec 2 then 
minaveragec 2 4— averagec 2 
Bestfe <— b 
•*— c 
t— ti 
t— t 2 

Cm 


Bestc 

Bestti 

Bestt2 

Bestc m 


ret urn minaveragec 2 , Best b, Best c, Bestti, Bestt 2 , Bestir: 


< 5/2, c m j 

0.06697,c„ 


0, Crnax t- 

- 0.5330 


3,*i„ 


brain i 1/2, b ma 

^2 rnax ^ ^^NtTlmin 

gap = 2 x 10~ 2 
PreviousBestAveragec 2 <— oo 
[CurrentBestAveragec z ,Bestfe,Bestc,Bestti ,Bestt 2 ,Bestc. 

GION {bminybmaxNmimCmax1 1 m/a /l m oi *t2 mJn 3'2. -,C m „,„.„ ,C 


*2„ 


-2,t. 


m 


SCANRE- 


max l^rn rn i rl ,'~-mm a ,x >g a P) 

“ 4 do 


Bestc - gap, 

- Bestt 2 + gap, 


while PreviousBestAveragec 2 
brain t- Best6 - gap, 6 maa , f 
Cmax t- Bestc + gap, tl min 
<- Bestti + gap,t 2mi „ 

Cm roj „ «- Bestc m - gap, c mri 
gap £- gap/10 

PreviousBestAveragec 2 •(— CurrentBestAveragec 2 
[CurrentBestAveragec 2 ,Best6,Bestc,Bestti,Bestt 2 ,Bestc m ] 

^min "> u ^max > On rai „ , ^m,max 1 g a P) 


CurrentBestAveragec 2 <10 
Best6 + gap, c mm 
(— Bestti - gap, 
t- Bestt 2 - gap,t 2mo 
e- Bestc m + gap 


SCANREGION(& m j n ,6 ma3 ,,C m i n ,C ma3 , ,t ] ./ j max ,t 2m , /rl 3'2 rr — ,C™ • Cr 


32: AccurateAveragec 2 = computeaveragec 2 (0, Best6,Bestc,Bestti,Bestt 2 ,Bestc m , 6) 
33: return AccurateAveragec 2 ,Bestfr,Bestc,Bestti,Bestt 2 ,Bestc TO 
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can collide first), at some z. Hence it is not desirable for there to be a useful pair which 
always starts its walk at least distance of 0.51V apart on an interval of size N. □ 


Justification of (C). Firstly let W\ , i denote the kangaroo that starts its walk at N(a + 
z ), and Wi t 2 denote the kangaroo that starts at N(c + z). Since these kangaroos are 
of the same types (they’re both WildI kangaroos), if we fix c,t\,t 2 and c m , then an 
algorithm where W 1,1 starts at a + z and W\ 2 starts at c+ z, has the same running 
time as an algorithm where Wi 1 starts at c + z and W 12 starts at a + z, since the 2 
WildI walks that start at the same positions in both cases. Hence c op t > a op t = 0. 
Now c op t < 3, since if c > 3, then on an interval of size N, the distance between the 
kangaroos that start their walks at lV(c + z ) and N(b — z) can never be less than N/2. 
I gave evidence that this was not desirable in my justification of (B). Hence we may 
suppose that 0 < c op t < 3. 


□ 


Justification of (D). Firstly, we only need to check values where t 2 opt > t\ t , because 
one can show in a similar way to the one shown in proving c op t > a op t, that for every case 
where t 2 < t,\ , there exists an algorithm with the same running time where t\ < t^. 
Now —2 < t±,t 2 < 9/2, since if t\ and t 2 are outside this range, then the starting 
distance between any wild kangaroo and any of the tame kangaroos on an interval of 
size N is at least N/2. 


□ 


Justification of (E). I stated in Section 3.2 that by starting the kangaroos walks at h, 
g0.ii24iv^ gi.3562iV^-i^ f o.9274Ar an( j g0.785N ^ i ower bound for the expected number 

of group operations until the closest useful pair collides (.Ecp) of 1.8898 VN group 
operations could be realised. Using Lemma 3.2.1 in the proof of Theorem 3.2, the 
average distance between the closest useful pair across all z when Ecp = 1.8898 y/~N 
group operations is 0.03571V. In the proof of the same lemma, I also showed that 
Ecp = 5(A ve(d(z))/m + m), where A ve(d(z)) denotes the average distance between 
the closest useful pair of kangaroos over all z. Hence A ve(d(z)) > 0.03571V in any 5 
kangaroo algorithm. Therefore, Eqp > 5( om57N /c m VN + c m y/N). One could suppose 
that there must be some bound B, such that if the expected number of group operations 
for the closest useful pair to collide in some algorithm is larger than B, then this 
algorithm could have no chance of being the optimal 5 kangaroo algorithm. A very loose 
bound on B is 3\/N. For Ecp < 3 VN, we require 5(0.03571V/c m v / iV +c m y/N) < 3\/N. 
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For this to occur, c m must range between 0.06697, and 0.5330. Hence we can suppose 
0.06697 < c mopt < 0.5330. 


□ 


Remark regarding Lemma 3.3.2 

Lemma 3.3.2 required an upper bound on how far apart a useful pair of kangaroos 
can be when they start their walks. When t ,2 is 4.5, b = —0.5, and zN = N — 1, the 
initial distance between the Wild2 kangaroo that starts its walk at (6 — z)N, and the 
Tame kangaroo that starts his walk at t 2 N, is 6JV — 1 < 6 N. In any method where 
the variables a, b , c, t\ and t ‘2 are within the bounds presented in (A),(B),(C) and (D), 
no useful pair of kangaroos can start their walks further apart than this. 

The same lemma also required a lower bound on the average step size used. (E) shows 
that one lower bound is 0.06697\Z]V. 


Results 

When I ran Algorithm 2 in matlab®, the values for a,b,c,ti,t 2 and c m which were 
returned had a = 0, b = 1.3578, c = 0.7158, t\ = 0.7930, t ,2 = 0.9220, and c m = 0.3118. 
Algorithm 2 computed averages to be 0.3474 in this case. 

Using the result of ( 14 ) (see the top of page 40), we see that in an algorithm where 
a,b,c,ti,t 2 and c m are defined to be these values requires on average (5 x 0.3474 + 
o(l))\/N ± 0(1) = (1.737 + o( l))y/N ± 0(1) group operations to solve the IDLP. 
Formula ( 13 ) also implies that the expected number of steps until the first collision 
will be 0.3474 y/N ± 0(1) steps ( 15 ). 


3.4 Five Kangaroo Method 


I now present my five kangaroo algorithm. 

If we are solving the IDLP on an interval of size N over a group G, and we start the 
walks of five kangaroos at the group elements h, g L3578Ar /i -1 , g°- ll5HN h 1 g°- 922N ; and 
g0.793N^ an( j uge an average step size of 0.3118\ZiV, and let the kangaroos walk around 
the group G in the manner defined in section 3.1, then we can expect to solve the IDLP 
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in on average (1.737 + o(l))y/~N ± 0(1) group operations. 

Note that 1.35781V,0.71581V,0.9221V, and 0.7931V might not be integers, so in practice, 
the kangaroos would start their walks at h, gbfi^ 1 , g c h , g t{ . and gt 2 , where b,c,ti, and 
t r 2 are respectively the closest integers to 1.35781V,0.71581V,0.9221V, and 0.7931V. 

There are two main factors which have not been accounted for in this calculation of the 
running time. The first is eluded to in the remark, stated just before Lemma 3.3.1. This 
being, that I calculate the expected running time in the instance where for every z, the 
back kangaroo takes the expected number of steps to catch up to the starting position 
of the front kangaroo in every useful pair of kangaroos, and make the assumption that 
this is proportional to the average expected running time across all possible walks that 
the kangaroos can make. I was unable to find a bound for how much the approximation 
error would be increased by because of this assumption. However, in [3], Galbraith, 
Pollard and Ruprai make the same assumption in computing the running time of the 
three and four kangaroo methods. They were also unable to find a bound for much 
the approximation error would be increased by because of this assumption. However, 
when Galbraith, Pollard and Ruprai gathered experimental results to test how well 
their heuristic estimates worked in practice, they found that their experimental results 
matched their estimated results well [3]. Hence I can assume the magnitude of the 
approximation error is not affected too badly as a result of this assumption. 

The other factor that wasn’t accounted for in my calculation of the running time, was 
how I ignore the e ™ term in (9) (see page 37). Since m = 0.3118\/N in my 5 
kangaroo algorithm, and in practice, one would typically use kangaroo methods on 
intervals of size at least 2 30 , the multiplicative factor of the approximation error due 

_ i+1 -7 _ 1 _ 

to this is has a lower bound of > e o.3iis -/n > e o.3ii8v^®° > 1 — (7 x 10~ 4 ), and an 

upper bound of 1. 

This five kangaroo algorithm is therefore a huge improvement on the previously optimal 
five kangaroo method of Galbraith, Pollard, and Ruprai, which required at least 2 y/~N 
group operations to solve the IDLP on average. This algorithm also beats the running 
time of the three kangaroo method, so it therefore answers one of the main questions 
of this dissertation. This being, ’Are five kangaroos worse than three?’. 
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Chapter 4 

Seven Kangaroo Method 


Using the same idea that was applied by Galbraith, Pollard and Ruprai in [3] in extend¬ 
ing the three kangaroo method to the four kangaroo method, the five kangaroo method 
can be extended to give a seven kangaroo method, with slightly improved running time. 
If we are solving the IDLP on an interval of size N, let A,B, and C respectively be 
the closest even integers to 0,1.3578IV, and 0.71581V, and let T\ and T 2 be the closest 
integers to 0.4221V, and 0.7931V. Suppose we start the walks of 7 kangaroos at the 
group elements h, g B h _1 , g c h , g Tl , g Tl+1 , g T2 , and g T2+l . Then we are effectively 
starting two WildI kangaroos at positions z, and C + z, one Wild2 kangaroo at the 
position B — z, and four Tame kangaroos at the positions T\, T\ + 1, T-j and T 2 + 1. 
Now z, B — z and C z are either all odd, or all even. Hence all WildI and Wild2 
kangaroos start their walks an even distance apart. Also, exactly one of T\ and T\ + 1, 
and exactly one of T 2 and T 2 + 1 are of the same parity as z, B — z and C + z. I will 
let T\ useful and T 2 useful denote the Tame kangaroos whose starting positions are of the 
same parity as the starting positions of the WildI and Wild2 kangaroos, and T\ ugeless 
and T 2 , denote the two other tame kangaroos. 

Now suppose we make all step sizes even. Then Ti , and T 9 , will be unable to 
collide with any other kangaroo, excluding themselves. However, Ti uaefun T 2 useful , and 
all WildI and Wild2 kangaroos are able to collide, and are all starting their walks at 
at almost the exact same positions as the five kangaroos do in the five kangaroo method 
of section 3.4. Hence, assuming the algorithm is arranged so that all kangaroos jump 
one after the other in some specified order, then these 5 kangaroos (T\ useful ,T 2 useful , the 
Wild2 kangaroo, and the two WildI kangaroos) are effectively performing the five 
kangaroo method of section 3.4, except over an interval of size N/ 2, since the fact that 
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all step sizes are even means that only every second group element is being considered 
in this method. Hence from the statement of ( 15 ) (see the results section on page 44), 
the expected number of steps until the first collision occurs is (0.3474\/lV/2 ± 0(1)) 
= 0.2456 VN ± 0(1) steps. However, since there are now 7 kangaroos jumping at 
each step, the expected number of group operations until the first collision occurs is 
7x 0.2456 V r N ±0(1) = 1.7195 VN ±0(1) group operations. By defining the probability 
that a point is distinguished in the same way as it was in the five kangaroo method, 
we can conclude that the seven kangaroo method presented here requires on average 
an estimated (1.7195 ± o(l)) y/N ± 0(1) group operations to solve the IDLP. 

As I have already stated, currently the fastest kangaroo method is the four kangaroo 
method. This has an estimated average running time of (1.714 + o(l)) y/~N group op¬ 
erations. Therefore, the seven kangaroo method presented here is very close to being 
the optimal kangaroo method. 



Chapter 5 

Conclusion 


The main results of this thesis were the following. 


• Result 1: The presentation of a five kangaroo algorithm which requires on av¬ 
erage (1.737 + o(l))\/]V ± 0(1) group operations to solve the IDLP. 

• Result 2: The presentation of a seven kangaroo method that requires on average 
(1.7195 + o(1))VN ± 0(1) group operations to solve the IDLP. 


For clarity, I will restate the main questions that this thesis attempted to answer 
here also. 


• Question 1: Can we improve kangaroo methods by using larger numbers of 
kangaroos? 

• Question 2: Are 5 kangaroos worse than three? 


Before this dissertation, the four kangaroo method of Galbraith, Pollard, and Ruprai 
[3] was by the far the best kangaroo algorithm. This algorithm has an estimated av¬ 
erage running time of (1.714+ o(l))\/?V group operations. It was unknown whether 
we could beat the running time of the four kangaroo method by using more than four 
kangaroos. The fastest algorithm that used more than four kangaroos was far slower 
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than the four kangaroo method, requiring on average at least 2 \fN group operations 
to solve the IDLP. 

The five and seven kangaroo algorithms presented in this report are a significant im¬ 
provement in kangaroo methods that use more than four kangaroos. Even though the 
running time of the methods presented in this thesis did not beat the running time of 
the four kangaroo method, they came very close to doing so. Therefore, even though 
the main question of this dissertation (Question 1) still remains unanswered, we can 
now have more confidence that kangaroo methods can be improved by using more than 
four kangaroos. 

Question 2 was also answered in this thesis, since the estimated average running time 
of the five kangaroo method presented in section 3.4 ((1.737 + o(l))\/fV ± 0(1) group 
operations) beat the estimated average running time of the three kangaroo method of 
[3] ((1.818 + o(1))VN group operations). 
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